2022-04-19 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 19th of April 2022.

Jira No	Summary	Description	Status	Solution

Summary	Description	Status	Solution
LFN Developer & Testing Forum	Event June 13th-16th Porto, Portugal Please register: https://events.linuxfoundation.org/lfn-developer-testing-forum/	started
	SECCOM topics proposal: SECCOM retrospectives: Log4j fix implementation in Istanbul Maintenance Release Jakarta security status update Kohn security goals Security PoCs: logging req code quality service mesh SBOM enablement and maintenance, and packaging Waiver policy update Unmaintained projects joint meeting with Thomas and Andreas, Chaker and Byung. On the road to gold badge - Tony and Toine others? Operator perspective on ONAP security - Brian? Fabian?	started	Topic proposals to be submitted. Brian to share what kind of security due diligence is performed by BellCanada. ONAP is used for 5G slicing orchestration. Bug in SBOM software - ticket was opened to LFN IT by Vijay.
ONAP unmaintained and deprecated functions	Amy presented process for all possible use cases with execution and planning phases. Slide deck with modifications included	started	Modifications to be provided by Amy based on the discussion held - done
Logging update	Majority of the fields implemented in CPS. 2 topics to be addressed: ordering if the fields format of how would be outputed	ongoing	Synch with Byung on architecture.
Synch with OOM	Security dashboard: https://logs.onap.org/onap-integration/daily/onap-daily-dt-oom-master/2022-04/05_09-02/ and Versions reporting: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/2022-02/25_20-26/security/versions/versions.html to be run by Michal for the weekend Failing security tests: fix nonssl_endpoints in Jakarta release: 1.SDC-3954 - open 2.SDNC-1692 - open 3.OOM-2957 -open fix root_pods in Jakarta release: 1.OOM-2958 - open 2.INT-2104 - open	ongoing	Michał to run additional run to get status update. As none of the tickets were progressed - issue to be escalated at the TSC.
Kohn SECCOM Global Requirements	-[REQ-437 -> REQ-800 ] -> REQ-1067 -> REQ-1208 COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8) -[REQ-438 -> REQ-801] -> REQ-1068 -> REQ-1209 COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11) -[REQ-439 -> REQ-863] -> REQ-1066 -> REQ-1211 CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES -[REQ-443] -> REQ-1069 -> REQ-1210 CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL	started	Logging requirment - target full PoC for Kohn and then Global Requirement for London release.
5Y asessment	Dedicated teams in projects for security. We have security tests at the Integration level but usually no delegated security expert.	ongoing	Hardening validation process might not exist at all for some ONAP projects.
SECCOM MEETING CALL WILL BE HELD ON 26th OF April'22.

Recording:

SECCOM presentation: